LDAP not working

PostPosted: Mon Oct 28, 2013 11:25 am
by lloyd.owens
I am running Omero 4.4 with an application called Columbus version 2.4.
LDAP is configured as shown below from the omero config get command

omero.data.dir=/u99/repository
omero.db.name=omero4_4
omero.db.pass=columbus
omero.db.patch=0
omero.db.poolsize=50
omero.db.user=columbus
omero.db.version=OMERO4.4
omero.ldap.base=dc=enterprise,dc=amgen,dc=com
omero.ldap.config=true
omero.ldap.new_user_group=ColumbusARG
omero.ldap.password=
omero.ldap.sync_on_login=true
omero.ldap.urls=ldap://ldap.amgen.com:389
omero.ldap.username=
omero.security.default_permissions=rwr---
omero.upgrades.url=http://0.0.0.0/

The same config is in the /usr/local/PerkinElmerCTG/Columbus2.4/etc/omero.properties file.

A group has been created in Omero called ColumbusARG as shown from the command

bin/omero group list

id | name | perms | # of owners | # of members
----+-------------+--------+-------------+--------------
0 | system | rw---- | 1 | 0
1 | user | rwr-r- | 0 | 4
2 | guest | rw---- | 0 | 1
3 | ARG | rwr--- | 1 | 2
53 | ColumbusARG | rwr--- | 0 | 0


The ColumbusARG group (containing 3 members) is also created on the Enterprise LDAP (LDAPv3) server.

The Problem: The login fails when any of the 3 members try to login/authenticate to Omero. The error log
/usr/local/PerkinElmerCTG/Columbus2.4/var/log/Blitz-0.log shows the failed login but does not mention anything to do with LDAP.

When I query the Enterprise LDAP server for the members of the group I get the following output, indicating that the group is set up and contains the 3 members.

#ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=ColumbusARG)'

dn: cn=ColumbusARG, ou=Gerb, ou=Applications, ou=Groups, dc=Enterprise,dc=amgen,dc=com
uniqueMember: uniqueidentifier=118744,ou=people,dc=enterprise,dc=amgen,dc=com
uniqueMember: uniqueidentifier=17037,ou=people,dc=enterprise,dc=amgen,dc=com
uniqueMember: uniqueidentifier=6593,ou=people,dc=enterprise,dc=amgen,dc=com
owner: uniqueidentifier=118744,ou=people,dc=enterprise,dc=amgen,dc=com
objectClass: groupofuniquenames
objectClass: top
cn: ColumbusARG

Re: LDAP not working

PostPosted: Tue Oct 29, 2013 4:58 pm
by cxallan
It is unfortunately rather difficult for us to be of much help with a Columbus install of OMERO. You might have some luck contacting PerkinElmer directly. I assume you have gotten this far by following the OMERO LDAP page?

http://www.openmicroscopy.org/site/supp ... -ldap.html

The configuration itself looks fine. Are you attempting an anonymous bind to your LDAP server?

Re: LDAP not working

PostPosted: Wed Oct 30, 2013 10:46 am
by lloyd.owens
Thanks cxallan for your reply.
The LDAP support page was of great help. I would not have gotten this far without it.
Our LDAP server allows any user to run an LDAP query. So yes, I am trying to run an anonymous bind to my LDAP server. I thought this method would be a simple authentication test before configuring the
omero.ldap.password=
omero.ldap.username=

Re: LDAP not working

PostPosted: Thu Oct 31, 2013 10:58 am
by lloyd.owens
What command can I run to confirm that the LDAP Plug-in is installed?

Re: LDAP not working

PostPosted: Thu Oct 31, 2013 4:53 pm
by cxallan
It's included with the base install so there's no way to check extensively without messing around with a lot of internal configuration files. One theory I had was that your objectClass was different. The default objectClass is "person" if you perform your ldapsearch with (objectClass=person) do you still get results?

Re: LDAP not working

PostPosted: Fri Nov 01, 2013 4:46 pm
by lloyd.owens
ldapsearch with (objectClass=person) gives lots of users in the company. It shows my dn as:
dn: uniqueidentifier=118745,ou=People,dc=Enterprise,dc=amgen,dc=com

Re: LDAP not working

PostPosted: Mon Nov 04, 2013 4:09 pm
by jmoore
There have been some recent issues trying to get OMERO to work with Active Directory that may be related (See http://lists.openmicroscopy.org.uk/pipermail/ome-users/2013-November/004034.html on the mailing lists)

Could you show an example ldapsearch query for the users, as opposed to the group? What interests me is the "cn" value that appears since that is what is used as the user login. See "user_mapping" for more information.

Cheers,
~Josh

Re: LDAP not working

PostPosted: Mon Nov 04, 2013 5:20 pm
by lloyd.owens
Here is the relevant output from the following search
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=Owens, Lloyd)'

dn: uniqueidentifier=118744,ou=People,dc=Enterprise,dc=amgen,dc=com
memberOf: cn=teamsus1_users,ou=teamsus1,ou=EDM Teams,ou=EDM,ou=Groups,dc=Enterprise,dc=amgen,dc=com
memberOf: cn=edmcrfus1_users,ou=edmcrfus1,ou=EDM Crf,ou=EDM,ou=Groups,dc=Enterprise,dc=amgen,dc=com
memberOf: cn=edmcorpus1_users,ou=edmcorpus1,ou=EDM Corporate,ou=EDM,ou=Groups,dc=Enterprise,dc=amgen,dc=com
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
objectClass: top
amgen-comCN: Lloyd Owens
cn: Owens, Lloyd
employeeType: Consultant
givenName: Lloyd
sn: Owens
uid: lloydo
uniqueIdentifier: 118744
**********
I noted that the output does not list that I am in the columbusarg group

Also, if I use my login id in the search
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=lloydo)'
I get no output whatsoever.

NB: At my company, LDAP is in sync with Active Directory so that my windows login id and password are passed to LDAP. I

Re: LDAP not working

PostPosted: Tue Nov 05, 2013 7:35 am
by jmoore
Hi Lloyd,

lloyd.owens wrote:
dn: uniqueidentifier=118744,ou=People,dc=Enterprise,dc=amgen,dc=com
cn: Owens, Lloyd
uid: lloydo


Based on the default setting for user_mapping, you should be able to login with "Owens, Lloyd". If you want to login with lloydo, you'll need to run:
bin/omero config set omero.ldap.user_mapping omeName=uid,firstName=givenName,lastName=sn,email=mail


lloyd.owens wrote:
Also, if I use my login id in the search
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=lloydo)'
I get no output whatsoever.


Can you try with the search '(uid=lloydo)' ?

Cheers,
~Josh
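
The effect of the user_mapping setting discussed above, as an added illustration that is not code from the thread or from OMERO itself. It assumes (my reading of the OMERO LDAP docs) that the lookup filter is the user_filter AND-ed with the omeName attribute, and it uses the user entry quoted above as constructed sample data; the RFC 4515 escaping shows why the login value must not be pasted into the filter raw.

```python
# Constructed sample: the user entry quoted in the thread, as attribute -> values.
SAMPLE_ENTRY = {
    "objectClass": ["inetorgperson", "organizationalperson", "person", "top"],
    "cn": ["Owens, Lloyd"],
    "givenName": ["Lloyd"],
    "sn": ["Owens"],
    "uid": ["lloydo"],
    "uniqueIdentifier": ["118744"],
}

DEFAULT_MAPPING = "omeName=cn,firstName=givenName,lastName=sn,email=mail"
DEFAULT_USER_FILTER = "(objectClass=person)"


def parse_user_mapping(mapping: str) -> dict:
    """Turn 'omeName=cn,firstName=givenName,...' into {'omeName': 'cn', ...}."""
    pairs = (item.split("=", 1) for item in mapping.split(",") if item)
    return {k.strip(): v.strip() for k, v in pairs}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def login_filter(login: str, mapping: str = DEFAULT_MAPPING,
                 user_filter: str = DEFAULT_USER_FILTER) -> str:
    """Search filter for `login` (assumption: user_filter AND omeName attribute)."""
    attr = parse_user_mapping(mapping)["omeName"]
    return f"(&{user_filter}({attr}={escape_filter_value(login)}))"


def entry_matches(entry: dict, login: str, mapping: str = DEFAULT_MAPPING) -> bool:
    """Would this entry be found for `login` under `mapping`?

    Mirrors the default user_filter (objectClass=person); cn/uid compare
    case-insensitively, as they do in a typical directory schema."""
    attr = parse_user_mapping(mapping)["omeName"]
    classes = {c.lower() for c in entry.get("objectClass", [])}
    values = {v.lower() for v in entry.get(attr, [])}
    return "person" in classes and login.lower() in values
```

With the default mapping only "Owens, Lloyd" resolves; switching omeName to uid makes "lloydo" resolve, which is the same difference the two ldapsearch filters in this thread show.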

Re: LDAP not working

PostPosted: Tue Nov 05, 2013 10:25 am
by lloyd.owens
The search
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(uid=lloydo)'
gives me sensible output, the same result as
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=Owens, Lloyd)'
shown in a previous post.